Hey all, I'm confused and hoping you all can help me and see if you've got recommendations.

Our SonicWall has reached the end of supported life and I'm looking into replacing it. I want to go with a SonicWall because I've heard good things about their reputation, ease of config, and my past experiences with it.

The problem is I've got 3 sources telling me I should get 3 different appliances. Our setup is bound to change greatly over the next few years as I hope to have 500 computers on the network connected to a bonded T1 and possibly DSL at a later date (cable/fiber is not an option in the foreseeable future). I've got 2 public servers with regular traffic in and out.

1. My main reseller says I should go with a TZ200 because our connection isn't that fast and the appliance doesn't sit where it gets regular network traffic.

2. The person we dealt with when we bought our current SonicWall says we should get an E-Class NSA 5500. Reason being the amount of computers we'll have on the network in 3 years.

7 Replies

What is the role of the firewall? Is it just for protocol blocking and NAT, or do you need VPN or SSL VPN services? Might you be interested in content/web filtering? Will you have remote users or remote offices?

You might want to consider looking at the Juniper line of firewalls. In many ways, they're similar to SonicWall in how they move and feel so there won't be that big a learning curve on them. One of the major reasons I like them is the support is excellent if you need it.

Maybe I need to clarify a bit as my original post didn't clearly state my question. I am definitely sticking with SonicWall as my appliance of choice.

The difference between the low end TZ series, the mid-range NSA, and the high end E-Class NSAs and the fact I've been told that I should get one or the other is a bit confusing to me. Do I need to get something as robust as SonicWall's E-Class NSA or will the basic TZ series do?

Here is some product info on what I've been advised to get so you can see the different levels of service they provide.


Based upon your implementation of this unit as a boundary FW and not a multi-segment interior FW, it is my belief that the TZ-200 or TZ-210 should be more than sufficient. The only time you would need an E-series is if you are segmenting in a large datacenter, or if you are a service provider, neither of which appears to be true here.

Given the boundary and possible single DMZ zone, even the Standard NSA series would appear to be overkill.

The limiting factor is not the port count or the aggregate throughput of the FW, but the I/O on the WAN side.

Hi Nate. I would probably say NO on a TZ series with 500 hosts behind it. I agree that an E-series is overkill too. What model are you running now (the old SonicWall)? If your current model seems to be supporting your needs ok, then my first suggestion would be to find a current model with comparable throughput and connection specs, and probably go with the next model up.

If you've even considered going with a TZ-200, then an NSA 240 would be plenty; it's 3 times the throughput! 500 users is a lot to put behind a TZ I think, but hey, if they're not making a ton of connections out then who knows. It also depends what those two servers are doing. Are they web servers that are taking a lot of connections from the outside world?

The suggestion for an NSA e-5500 is probably due to 3 factors: (1) the number of hosts you have on your LAN, (2) they're probably figuring in that you'll want to use some of the gateway security features of the firewall, which reduces the throughput substantially and (3) they're probably trying to make a couple bucks. SonicWall's site loves to suggest overkilled models so they can't be blamed if you input something wrong and you buy a model that ends up being a bottleneck because of what their site suggested.

Look at it this way. We're running a Cisco ASA 5520 that has 140mb of internet bandwidth (between 2 circuits) with about 3,000 internet users and a massive DMZ running ALL of our countries' websites and more which take a lot of connections. That ASA firewall supports 450mbps of firewall ("stateful") throughput, max 280,000 connections (12k/second), has 512mb of memory, and supports 150 vlans. That falls in around the NSA240 for stateful throughput, the NSA5000 for connections (out of box), and the mid-range NSAs for memory. With that being said, in your shoes, I would probably pick up an NSA 240. It's a lot of bang for the buck and it's better to overkill than to underkill, and have more than enough room to grow into.

Keep in mind that resellers can get you a try-and-buy deal with SonicWall. If they say they can't, they can.... SonicWall basically signs off on the try-and-buy on the assumption that you're gonna buy it because most people who do this do.

Hope this helps.


This topic has been locked by an administrator and is no longer open for commenting.